Episode Show Notes & Transcript
Show Highlights
(0:00) Intro
(0:51) The Duckbill Group sponsor read
(1:25) What Ann's been up to since she and Corey last spoke
(2:29) The makeup of Microsoft Security
(4:28) The unique company culture at Microsoft
(8:42) What's going on with Microsoft Azure
(10:31) How Ann handles the immense pressure of working in Microsoft Security
(14:13) The toxic nature of online criticism
(19:57) The Duckbill Group sponsor read
(20:24) The value of telling your leaders the truth
(23:31) Ann's thoughts on the current state of AI
(28:44) Properly defining what AI can and can't do
(30:54) Why Ann helps fund multiple STEM scholarships
(32:16) The need for the humanities alongside tech
(33:38) Where you can find more from Ann Johnson
About Ann Johnson
Ann Johnson is Corporate Vice President and Deputy CISO at Microsoft. In this role, Ann drives all external engagement for the Microsoft Office of the CISO. She is a long-tenured, recognized thought leader on cybersecurity, published author, and a sought-after global speaker and digital author specializing in cyber resilience, online fraud, cyberattacks, compliance, and security.
Ann currently serves on the Board of Directors of N-Able, Human Security, and Datavant, and is a Member of the Board of Advisors for Cybersecurity Center of Excellence, WA and the Signal Cyber Museum Society. Ann is also an Executive Sponsor of the Microsoft Women in Cybersecurity Group.
Links
- Ann Johnson’s LinkedIn: https://www.linkedin.com/in/ann-johnsons/
- Microsoft Security: https://www.microsoft.com/en-us/security
- Afternoon Cyber Tea: afternooncybertea.com
Transcript
Ann Johnson: Because I'd never want to be that person that you can't give feedback to. And I find that a lot of the communication we're talking about here, why people struggle, is because people don't give leaders feedback. They tell them what they wanna hear. There's so many leaders I know in industry that they don't have anyone who is brave enough that immediately surrounds 'em, that's willing to tell them the truth, and that's the problem.
That's why companies fail, by the way. That's why leaders fail because you have to have that one or two people in your circle that are willing to tell you the truth.
Corey Quinn: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Ann Johnson, who's a Corporate Vice President and Deputy CISO of the Customer Security Management Office at, presumably a large company with a title like that, Microsoft. Ann, thank you for joining me.
Ann Johnson: Ah, thank you for having me.
Sponsor: This episode is sponsored in part by my day job, the Duckbill Group. Do you have a horrifying AWS bill? That can mean a lot of things.
Predicting what it's going to be. Determining what it should be. Negotiating your next long-term contract with AWS. Or just figuring out why it increasingly resembles a phone number, but nobody seems to quite know why that is. To learn more, visit duckbillgroup.com. Remember, you can't duck the Duckbill bill.
And my CEO informs me that is absolutely not our slogan.
Corey Quinn: You and I have talked for a while about various things throughout the industry. We were Twitter mutuals for a while. We rediscovered each other on Bluesky as, after the great diaspora, and then there's a recombining now in social media.
What have you been up to the last couple of years?
Ann Johnson: Oh, nothing.
Corey Quinn: Interesting. You don't mind. That's what's going on computers these days. What could it possibly be?
Ann Johnson: What have I been up to? Let's see. I took a new job at Microsoft in May, which is to, Igor Tsyganskiy, who's our CISO, recruited me, and he said, "Look, I need my security people to be focused on securing Microsoft," he said, and, "we get a lot of customer demand to talk about how do we secure Microsoft? Come meet with us. Tell us what your experts are doing. Come do this podcast or come write this blog, or come do this interview." And he said, "so I'd really like you to build a small team that does those things that actually can be subject matter experts on how we secure Microsoft, can write blogs, can go do podcasts, and do interviews." So the security, you know, the core security team is actually focused on securing Microsoft. It is probably the funnest job I've had in a very long time.
Corey Quinn: Forgive me, the taxonomy of large companies is something that is tricky to ascertain from the outside, and I'm told the inside as well in some cases.
So Microsoft Security is its own organization. How does that interrelate with the, frankly, sprawling at, I guess, various business units that you folks have. There's Xbox, there's Azure, there's LinkedIn, there's GitHub, or GIFHub as I insist on pronouncing it. Where do you start and where do you stop as a security org?
Ann Johnson: I'm a hard G person, you know that 'cause we've had this debate. I also like pineapple and pizza, which is a whole other debate. So Charlie Bell leads all of Microsoft Security. Microsoft Security is a peer organization to those other organizations you name. So Charlie has peers who lead Microsoft 365, Azure, LinkedIn, Gaming, AI, et cetera, et cetera, et cetera. Within Charlie's organization is where the office of the CISO sits, and we do call it the Office of the CISO. So Igor Tsyganskiy, my boss, works for Charlie Bell. The other parts of Charlie's organization are focused on the engineering and product management efforts of our Microsoft Security Solutions Portfolio. So the actual security products that we sell to our customers.
Corey Quinn: So on some level you are, you are not part of those other orgs. You are peer to them, but presumably you also dive deeply into those other orgs. Do they have their own internal security apparatus? Apparati? Apparatuses as well?
Ann Johnson: Well, we are the security apparatus. Now, we are the security apparatus, not just for internal Microsoft employees, but also for Microsoft products.
So, now, that being said, as you know, these big, huge companies have a lot of matrixes, so there are people within those organizations that will be a Deputy CISO that will report directly into the senior engineering leader like Charlie or Scott Guthrie, Rajesh Jha, but they have a matrix reporting to Igor, and that matrix is related to risk and improvements we need to make in the products to make them more secure.
Corey Quinn: I forgot. That's right. Scott does run Azure. He was a guest on the show years ago, and I was impressed. The fact that he still wore the white, sorry, the red shirt when he showed up. It's, wow, okay. This is not just something he does when he is on stage. No, this, this is actually how the man dresses, which, awesome. I love the branding.
Ann Johnson: You know what else I love about the guy, and I'm sorry I'm not, I'm not here to be the president of the Scott Guthrie fan club, but you got on a phone call with him, Rajesh, Charlie Bell, any of those folks that are Satya's leadership team, Satya himself, they understand at a micro level that I've never seen senior executives understand how the products are wired.
They understand the coding, they understand a deep, deep technical depth, and can coach and move their teams along. It is unbelievably impressive to watch a Scott Guthrie be able to scale across the business, right? You would expect him to understand the cloud business, but also the deep, deep technical depth that he has.
Corey Quinn: I think the common thread among all of the, I guess, tech titans to use the framing, and the one that really separates those companies from others, is that the executive leadership team deeply and profoundly cares. They sweat the details across the board when you have other companies that like to style themselves as being one of these, but they never quite seem to break through, and you look at their executive suite, and there's basically, it's a revolving door, and they wind up bringing in a bunch of outsiders 'cause okay, this is generic companies, so we're gonna call down to central casting and get generic CTO to come in for 18 months, it does not have that same ethos. I mean, you've joked that you are still the new kid at Microsoft, but you've been there for nine years.
Ann Johnson: Yeah, and I've been in tech almost 40, just so you know. So I've been in tech my entire professional career since I graduated from college, and Microsoft does have a very, very unique culture compared to other companies. And that's not a good or bad statement, it's just a very different culture. But the thing we have that is awesome is we do have a very senior leadership team that is deeply in the details that cares passionately about the business and cares passionately about what product we're putting out there. So I sit on these calls sometimes and I'm, you know, these big calls where the senior executives will start to get into a conversation about something, and I'm always amazed at the way they scale up and down.
They scale at this super high level. Let's talk strategy of this like 20,000 foot view. Alright? Let me talk specifically about how we're skewing a specific mailbox within a specific tenant within, I'm like, wow. Really?
Corey Quinn: It's the fractal complexity that always blows me away by so many of these things that it, it's like one of my old favorite repos on GitHub was entirely devoted to exhaustively answering the question, "You type 'www.google.com' into your browser and press 'Enter.' What happens?"
And people have gone into stupendous detail on the nature of the keyboard debouncer in the switch that winds up, it goes beyond the level of insane complexity, and we still haven't finished it. It's still not done because there's always more to learn and more to know.
Ann Johnson: Well, there is, and look, I'm not a coder, I'm not an engineer.
I grew up as an architect. Actually, I was a network architect early in my career with Token Ring, even before we got to ethernet, which was a blessing, but that all aside. So I look at problems differently. Everything, to me is an architecture problem. These folks look at it, and I think it was Bill Gates that said, you know, "Anybody that could code can solve any problems," 'cause you're talking about putting a bunch of strings and characters together and making something happen, and it's the most awesome thing in the world. I can't even imagine having the skills to do that, right?
Corey Quinn: I was much the same way. My only programming languages that work are brute force and enthusiasm, and with the advent of AI doing what it can do, apparently I can bully the LLM into eventually building something at least reasonably within hailing distance of working. It may be psychotic, but it also works. It's starting to unlock that for folks who don't have that classical, "I'm gonna sit down and write code for the next 10 years," mentality.
Ann Johnson: Yeah, I mean, I built in college. I took a computer class, computer science class, and I built a Pong game in BASIC.
That is the last time I wrote a line of code. So I have deep appreciation for the profession.
Corey Quinn: Oh, I, they were teaching C++ when I went to school, and I think I filed a complaint with the university that I thought you'd outlawed hazing. What is?
Ann Johnson: Exactly.
Corey Quinn: So I do want to ask, Azure had a couple of, I guess about a year or so of interesting security revelations.
You folks did a blog post on it. It's been a couple of years since then. So I am curious what is going on? What's changed? How are you viewing this?
Ann Johnson: Yeah, and Corey, I'm, again, I didn't come on your podcast to sound like a Microsoft commercial, but I will tell you what's changed. Satya and Charlie Bell last May, you know, really kicked off the Secure Futures Initiative, which is this wholesale across the company, 34,000 full-time equivalent people who are working on security every day and making sure that we're closing any gaps.
You know, like a lot of companies, Microsoft's gonna turn 50 years old, by the way. That's an old company. Okay, it's gonna turn 50. That's, that's older than most technology people's career lifespans, but anyway. So, we had a lot of technical debt. We had a lot of stuff that we had to go back and clean up, and it's just like our customers. Our customers suffer from having too much technical debt. They suffer from, "Hey, we're gonna bring something new to market, and we're gonna rush and move really fast, and oh, by the way, we didn't go clean up these other 10 things that already exist," right? So we've spent, you know, almost a year now, we're publishing reports twice a year.
The next one will come out in April, but we have this wholesale effort and Satya sent out this memo that we call the "Security Above All Else" memo, and it is really true. We have transformed the culture of the company, but we've also really, really hardened the environment, and we'll continue to do that, right?
The attackers are not any less persistent than they were. We are a target rich environment, just like the other hyperscalers are a target rich environment, so they find unique and innovative ways, and if you have one hole, they find it. So we're gonna continue to harden the environment, but we've done so much just in a year.
It's a really, it's a testament to the breadth and depth of Microsoft that if we wanna put an effort around something, we will get it done.
Corey Quinn: Something I didn't appreciate fully at the time is that, unlike any other company on the planet, Microsoft does business and has contracts with modulo, every entity on the planet. Virtually every government, except some on a very small restricted list. Every organ-, every enterprise for certainty, et cetera. And so much of that curtails inherently what you can say about anything that even comes within hailing distance of security. For me, the longer I've had to think about this, the more surprised I am that you can say anything at all just based upon the fact that, basically, the all of humanity, on some level, has a view, position, stake, and will take any issue they can with anything you folks say.
How? How do you do it?
Ann Johnson: It could be tough. Look, I'll give you a perspective. I had a couple small startups right before I came to Microsoft, but I spent a lot of years at EMC, and I thought EMC was a huge company, right? Until I came to Microsoft. And the one thing I've learned about Microsoft and it, you can, my LinkedIn feed, my LinkedIn inbox, and my InMails will tell you this, is that I get the most amazing, I'm gonna use the word amazing, mails from people. "I had a problem with this," and I'm like, I don't even know what that is. You know, some consumer piece, and I wanna be empathetic and sensitive to people, but we get challenged. You know, it is like people throw a lot of rocks at us because we are a very large organization. We have a consumer email presence.
We have an enterprise email presence. We have a cloud presence. We do gaming. We have LinkedIn. We have GitHub. You name it. There's a lot of rocks that get thrown, and sometimes it can be really difficult. One of my roles as a leader here is to keep my team from being demoralized. You know, if they pick up the paper every day and people are saying horrible things about Microsoft, it's really hard to get up, put your shoes on, and go to work.
And I wish the people I understand, like, look, we were deserving of criticism, right? We had some work we had to do. We had to clean house a bit. We had to clean up the environment a bit, but understand the human, and I know that social media right now, we don't understand the human aspect of anything. As a matter of fact, it's fun to target people in some aspects, you know? People are like it's a sport, but understand the demoralizing and the human aspect and understand that Microsoft Security professionals get up every day and want to do the right thing. We come to work trying to do the right team. People work exceptionally hard here, and it can be really demoralizing to folks if all they're doing is being criticized.
Corey Quinn: Something that I have had to relearn again and again and again, and it's so easy to view it as a multi-trillion dollar behemoth. Like any type of criticism I give is of course gonna punch up everything that I could say is just, it's a faceless, giant enterprise entity that you just can't even wrap your head around completely.
But these things are comprised of people. It's not a million people working on a particular initiative. It's generally a small-ish team, and it doesn't feel great when, you know, people like me are running our mouths about some of the missing features or approaches to things that haven't gone super well.
I mean, at some point it's a, you sort of have to take the licks. That's a consequence of sheer scale, but I endeavor not to make it personal. And the challenge of course is not everyone takes that view. I talked to a lot of people at all of the hyperscalers, none of them feel great when, effectively, the people start throwing rocks.
Ann Johnson: Yeah. Look, you have to learn not to take it personally, right? And that's what I coach my people. I also have this expression, it's a little rough, but I say, "Look, if you can't run with the big dogs, get off the porch." Because at the end of the day, we are working for this very large company.
There are a lot of advantages and benefits from working for this very large company. You're learning, your experience, the people you're surrounded with, the talent, your opportunities are amazing, and unfortunately, the downside of that does come with the fact that people are gonna call us out as they should. People make us better, but what I would ask is try not to make it personal. Try not to say, "Hey Ann Johnson, she really sucks 'cause this happened." Say, "Hey, this happened, and it wasn't great." And we're like, "Yeah, you know what? You're right." That's all I ask, but you don't, you know, like I said, social media at times was such a bad invention 'cause it lets people hide and throw rocks. Things they would never do if they had to have a more personal interaction.
Corey Quinn: People say things to me on the internet, they would never in a million years say in person, because you don't talk to people like that. It's, it is wild seeing, I guess the way that it shades human interaction, and I've met almost my entire social circle on the internet. I met my wife on a dating site. I met my business partner on IRC many, many years ago. There's, it has changed the course of my life, but even so, I still find myself inclined to say things to people on the internet that I would not say to them directly. And I recently had the unfortunate discovery that I really hope I never talk to humans the way that I talk to LLMs when they get things wrong, because I am reactionary and angry about it, and I don't like that person that I become, though it can admittedly be somewhat hilarious when you realize this is just a stochastic parrot, and I'm a sarcastic parrot, and we compete with each other, and it's great. But yeah, I would never talk to humans like that, I hope.
Ann Johnson: Yeah, I hope not too.
Corey Quinn: I worry other people don't have that boundary.
Ann Johnson: No, they don't. And sometimes I make mistakes, right?
And then I, you know, I'll make a mistake in a response to some on the internet trying to be funny, and I reread it, and I'm like, oh, that wasn't actually funny, and that was a little bit too snarky, right? It wasn't funny snarky. It was actually kind of mean snarky, but I also joke that, just so you know, that there is one place we could all be snarky, and if someone could please program my GPS, 'cause I am directionally challenged, to say, "You idiot, I told you to turn back there," I would accept that type of snarkiness from a computer.
Corey Quinn: Yeah. "No jackhole, your other left." Yeah, exactly.
Ann Johnson: Yeah, exactly. Yeah. I would accept that kinda snarkiness from a computer, but no, people have to realize that they're real live human beings, and they're getting up every day and trying to do their best.
And yes, human beings make mistakes, and yes, companies make mistakes, but that doesn't mean we all suck. It just means that we need the feedback to get better.
Corey Quinn: One of the wisest things I've ever heard was from John Scalzi, who fortunately is very prolific and shitposty himself on Bluesky, but I've been quoting it for years before I learned that he was the one that said it, and ever since then, I have quote attributed to him every time, "The failure mode of clever is 'asshole,'" and he's right.
Ann Johnson: I love that. By the way.
Corey Quinn: I've seen when I do the live tweeting, now live skeeting, of various corporate keynotes, very often other people try to join in and do the emulation approach. They're mean about it, and I look back at my very early days, I was too. It's sort of the evolution of it, but I didn't have anything of a following back then, and I think the blast radius was very contained, and I'm still atoning for some of those sins. And it's, don't do it like that. That's not gonna work. I worry that I'm the worst kind of role model.
Ann Johnson: No, I look, I maybe, but I think you do it with the best intent. I can. You know, I'm old enough now, we talked about my age, but I am old enough now that I can tell intent. People will say, and I'm just gonna give you an example, say, well, that, you know, that person was kind of sexist. I'm like, yeah. I don't think they actually were being, I don't think they, I think if you told 'em they were being sexist, they'd be horrified 'cause I don't think there was intent behind it. I think it was subconscious. They need a little education, and let's give 'em some grace. Let's just say, "Hey, this didn't land well because you said it like this. If you'd said it like this. You would've been constructive without anybody reading negative things into it."
I think most people, and I'm gonna stick to this 'cause it's the reason I get up every morning. I think most people have good intent. I have a communications degree, Corey. I have an advantage, right? I understand communications is all about the receiver, and even I make mistakes. Most people don't have a communications degree, so they don't get up thinking about the receiver and the communication.
They don't have that level of training. So I really try to cut people grace, unless I can tell they're deliberately being a jerk.
Corey Quinn: I also, it's easy for me just because all I have to do is more or less repeat the same thing that corporate marketing departments put out after it has been so workshopped and committeed, and it's become anodyne, and I just repeat it with a funny voice as a dramatic reading, and that alone is a basis for comedy.
But this gets back to the idea of the larger you get, the harder it is to communicate directly, succinctly, and transparently because everyone has an agenda.
Ann Johnson: Everyone has an general opinion, and I'm never, you know, folks will tell you I'm never anodyne enough that I could be a marketing person.
Unfortunately, I'm not pithy enough. I'm not, you know, brief enough because I wanted to be a lawyer, by the way, so my communication skills were trained in a very different way.
Corey Quinn: My wife is an attorney, and every time she's like, I think I'm gonna become a lawyer who reflective response is, "No, don't do that."
It's a decision that isn't gonna go the way you imagine it would in your head. It.
Ann Johnson: Teachers should to be a little more verbose. It does, because you wanna be super clear on what you're trying to drive. But I do think it's funny. Sometimes I read even marketing stuff we put out, and by the way, I full respect to our marketing team.
This is not in any way, but sometimes I'll read something like, wow, that's kind of cheesy. You know that is not exactly probably how we want, but you, when you read something and you've got the armchair quarterback, it's like sports, right? It's like sports being the armchair quarterback.
When you read something that someone else wrote, and you're removed from it, you actually can have perspective on it, and I do try to give gentle feedback to people if I think a message is just, you know, a little bit off base.
Sponsor: This episode is sponsored by my own company, The Duckbill Group. Having trouble with your AWS bill? Perhaps it's time to renegotiate a contract with them. Maybe you're just wondering how to predict what's going on in the wide world of AWS. Well, that's where The Duckbill Group comes in to help.
Remember, you can't duck the Duckbill bill, which I am reliably informed by my business partner, is absolutely not our motto.
Corey Quinn: And changing context on it works too. I submitted a talk a year or so ago for GitHub Universe that, in their excellent decision making capacity, they did not select, but it was about GenAI because it has to be, and my co-presenter was listed as GitHub Copilot. Surprise! And it wanted a bio. So I wound up copying and pasting what it had on the marketing website, and if you ever met a person who self-described in those terms, they would be the world's biggest blowhard. And I had fun with like, "Relationship to GitHub: mandatory field product." Great. It was easy. We just had fun with it, and yeah, they went with good talks instead of my nonsense, which is absolutely the right decision.
But even that, it really drove home the idea that things that make perfect sense in one context, 'cause it's not a bad product page at all, but turn that into a self description bio and you want to stay as far away from that person as you can.
Ann Johnson: I wish there were a lot of leaders not, you know, just take leaders in general that actually had people that told them the truth.
So I try to be that person. It doesn't always make me super popular, but I do try to do it in a very constructive way. And I try, by the way, I try to encourage my team that too. I said, "You can say anything to me. Say it respectfully, right. Say it with context," but you can say, "Hey, yeah, this really sucks," 'cause I'd never want to be that person that you can't give feedback to.
And I find that a lot of the communication we're talking about here, why people struggle is because people don't give leaders feedback. They tell them what they wanna hear. There's so many leaders I know in the industry that they don't have anyone who is brave enough that immediately surrounds 'em, that's willing to tell them the truth, and that's the problem.
That's why companies fail, by the way. That's why leaders fail because you have to have that one or two people in your circle that are willing to tell you the truth.
Corey Quinn: It take it's risk to do that. It takes a certain willingness to be direct, and I found that, in the early days of my career, that when it comes to office politics, you're not opting out, you're forfeiting.
It's why I was always a terrible employee in some ways, but as a consultant, it's great because the politics that I have to manage are minimal at their absolute worst and mostly non-existent. It's great. I'm here to give you advice that's actual consulting advisory, and then you do with that what you'd like, but I'm not here to worry about building a strategy for a fiefdom that you're trying to spin up to accumulate head count. Great. You do you. That's not my role. It's nice. It affords me a freedom to be direct that I think is refreshing to folks. People are, used say it was laudable that like, oh, I'm very direct and I say what I mean, and people should emulate that is, yeah, I just don't have a filter.
I don't know that it's necessarily a skill or an actor or a talent. It's just a personality defect. Great. Find a way to work with it.
Ann Johnson: You know, I don't even know if it's a personality effect, and I think it comes a little bit from a place of privilege, right? I'm senior enough in my career. By the way, I've had a career that I never would've expected. I've been more successful than I ever would've imagined, and so now I don't give a fluff, as my dog would say. In a lot of cases, I just don't. I'm like, look, I want everything to be better. I want everyone to be good. I'm not gonna be a rude, abusive jerk, but I gotta give you constructive feedback.
And if that means that tomorrow I don't have a paycheck for Microsoft, I guess I just live with that outcome, right?
Corey Quinn: You, that feels like a perfect time for you to bring this, but little gem up. You are, as you say, you're very direct, and you've been doing this an awfully long time. What is your take on the current state of AI?
Given that every company is to be direct, been clowning itself as fast as it can to AI wash everything they've been doing for the last five years, and slap it all over their marketing.
Ann Johnson: So it's so funny. This will be my 23rd or 24th year going to RSA in a few weeks, the RSA conference, and every year at RSA joke about it. It's "the year of whatever." It was, "the year of smart cards," "the year of certificates," or "the year of network filtering," or "the year of whatever."
Corey Quinn: 15 straight years of "the year of the firewall" again and again and again. Everyone's trying to sell me one.
Ann Johnson: Well, past couple years have been the year of AI, right? So every vendor on their booth, they AI something. To your point, they AI wash. Here's my view, and I've been writing on the topic of AI and blogging about it and talking about it for years.
You know, we had OpenAI before we had Copilots, before we had large language models. I do think there's a lot of promise for AI, and I'm gonna be a little, you know, maybe Pollyanna here when I say that I think that there is promise of AI. Let's talk, I wanna talk outside security for just a second. In solving some of the bigger problems we have in the world, predictability of clean food supplies, predictability of clean water supplies, one of the biggest problems we have with immigration is it's unpredictable. People are leaving places that are becoming uninhabitable because of climate change or because they don't have sustainable food or water. Our ability to predict those things and then have orderly migration problem solutions or get ahead of it or have better sustainable clean food and water supplies.
I think there's promise of AI, and I think we should be going really hard in that direction, right? From a cybersecurity standpoint, I think there's a lot of, cybersecurity is a big data problem. I think I told you before the show, you know, or even here, I was a data person. I was a network person and a data person for a long time.
So to me, security is a big data problem. It's fundamentally a big data problem. You have, you probably have all the data in your environment to tell you you are under attack or that you have a flaw or you have a vulnerability. The problem is you don't have visibility or you can't reason over that data fast enough.
So today's AI has the ability to modernize our security operations center capabilities and our human beings, we could do this today by reasoning over the data faster, by getting to better outcomes, by using agentic AI and actually automating 90, 95% of what we do. And then let your humans, your really smart humans, work on the hardest tasks, right?
I believe that exists today. It's just an implementation and an architecture conversation. The promises for tomorrow and the things that we could do with devices, device identities, vulnerable devices, particularly like in healthcare organizations, are a huge problem. They're, and think about oil rigs that have 25 year life on these things.
Manufacturing lines. They're not gonna rip these things out, so they have to get better signal from 'em. They also can't patch 'em and update 'em. They also can't firewall, I think, you know, Lesley Carhart from, talks a lot about, you know, you can't just contain everything. They actually have to work. Okay.
Corey Quinn: Unplug it, sink it in concrete, and drop it in the ocean. It's mostly secure then, but that's not the most usable product.
Ann Johnson: No it's not. So I think that AI has a lot of promise for devices. I also think we're, everything has an identity, right? Everything has an identity in the world of computers.
We're pretty decent as an industry in managing human identities. We are lousy about managing service identities, machine identities, device identities, et cetera, et cetera, et cetera. I think those are the places where AI can make a big difference, and it's nascent, right? Everyone's rushing to solve the Security Operations Center.
That's fantastic. I'm really thrilled that we're seeing all this innovation in SIEM and SOAR and next gen graphs and all of that, because that's a big lift, but we need to get really good at things like identities and devices.
Corey Quinn: Increasingly, this is feeling like the needle in a haystack problem.
There was a report that came out recently that, that highlighted a fact I didn't know, which is that apparently over in Azure Land or Microsoft 365, that the line gets blurry sometimes. I don't play in that space, so apologies for any misspeaks, that every time a user gets an entitlement for a different product, it represents a different role or identity as a part of that, which, okay. I'm not criticizing the security model, but I know that when you have hundreds upon, hundreds upon hundreds, if not add orders of magnitude to that number of roles, finding the needle in a haystack, that's the problem. Ooh, that's an over scope thing that just has way more permissions than it needs, becomes intractable for humans to tackle.
I want the computer to be better at finding those things for me.
Ann Johnson: Yeah, and I, by the way, I'll say this, I don't know if that's the exact architecture, so I, we're just gonna illustratively use it, right? I would have to go look.
Corey Quinn: Yes. If it's not true, something directionally like that exists somewhere on the planet.
Ann Johnson: Let's say it's directionally correct. We do create, and it is a computer problem. We do create way too many ethereal identities, right? We do create way too many. Ann Johnson is way too many things in too many places that are unmanageable, and every interaction I make, remember, everything I make has its own unique noise, and its own unique signal, right?
So the computer AI can make us a lot better at that. We just have to get there, right? We just have to get there.
Corey Quinn: I think that there's also a misunderstanding because the term "AI" is starting to mean a whole bunch of different things. You talk about trying to predict the impact of climate change. There are ways to do that with analysis of statistical models and feed that in.
That is not the same thing as asking ChatGPT, "Predict what's going to happen," and it just spits out a bunch of words that it predicts and sounds incredibly confident. But yeah, that turns out that's not a qualification in its own right.
Ann Johnson: So you'll appreciate what I'm about to tell you, 'cause we talked about the fact that I have, you know, communications undergrad degree. My graduate degree, which at some point I'll actually finish, is in statistics because it's a passion for me. And yes, I know that makes me, you can judge me on that.
Corey Quinn: Combine them and you're talking about numbers all the time.
Ann Johnson: Yeah, that I love statistics and you can judge me. You're allowed to judge me for that. To your point, statistics as we think about it today is point in time or look back, right? What I'm talking about is predictability and you actually have to be able to reason over all that data to say, "Okay, the climate in Sub-Sahara is going to become unsustainable in this particular microclimate in 2040," and we need to think about how we either make that, make the changes we need to, we might be too late, who knows?
Or how we're gonna orderly migrate that population so it doesn't become this issue that we have today with populations migrating because they're running from whatever harms, right? And that's the stuff I'm talking about AI doing that is very different than looking at statistical modeling and understanding what's happening today or going back in time and understanding what's happening.
It's one of the things, and I'll just make this one comment, and I'm gonna be nonpartisan saying, it's one of the things that makes like political polling so difficult because everything you do is a point in time and a reflection on the day you found the person, and that doesn't give you any predictability, honestly, on how they're actually gonna vote, believe it or not.
Because you could have a favored candidate today, and tomorrow they get up, and you're polled today, and tomorrow they give some speech, and you just say, you know what? I'm gonna stay home or I'm gonna go vote for the other guy or other gal. So it's one of, the statistics is wonderful if you understand what statistics is.
Corey Quinn: Numerical literacy is not historically something that has been emphasized in most public school curricula, or private for that matter.
Ann Johnson: It's not, and we need to, we obviously, I fund a couple scholarships. I've been, I've told you, I've been very privileged in my life. I grew up very poor. I funded school myself. So now with the two, I went to junior college by the way, to start, and then I went to what we call community college, and then I went to a state school, and I fund scholarships for them both in STEM, because STEM for underprivileged youth, because I'm like, we just have to get that education out there. I understand that, you know, having a degree that's, you know, not in STEM has not held me back, but a lot of the world has changed rapidly. Technology's changed. I look at my daughter. My daughter's early twenties, I should remember exactly how old she is. This is terrible. My daughter's early twenties. The kid I gave birth to, I can't remember exactly how old she is. But anyway.
Corey Quinn: It was some time ago.
Time got weird during the pandemic. What? We have a fudge factor in there.
Ann Johnson: Yeah. She's early twenties, right? And I look at her generation and the generation below her, they're digital natives, right? They are digital natives. She had a whatever the device was in her hand, you know, when she was a toddler, right? And she's had an iPhone since she was 13. You know, they're digital natives. So STEM is just so incredibly important.
Corey Quinn: I agree. I worry sometimes in some aspects that they're gonna over index on that to the expense of the humanities where, okay, great, you can do a lot of math. That's great, but you need to be able to have something to, to do that about something.
There's a, we can't replace every facet of humanity with AI and I would argue we shouldn't try.
Ann Johnson: No, we should not try.
Corey Quinn: Even with music is one of those things where I find that particularly tone deaf way to start exploring AI. Music is the soul of humanity, whether we like it or not. Watch a sad movie without a soundtrack.
You don't cry. It's very much tied to the human experience. We're gonna have computers do that now. I don't know that that's the message you think it is.
Ann Johnson: Well, I worry about this generation that's coming up. I was reading that reading, like when I, they were talking about reading since just the year 2000.
By the way, kids, since the year 2000. It's gone from like 80 to 20% of kids read weekly. And I'm like, that's horrible. And to your point, music's evocative. The [unintelligible] is books. I don't want AI writing books. You know, I read a lot. I'm a gracious reader, and I like the fact that a lot of authors play, you know, "No part of this book was produced by AI." You know, they put that right in the beginning of the book because these, this is art, right?
Art, yeah, there's a place for AI. I just, you know, there's a place where it probably should stay away from too.
Corey Quinn: Yeah, I wholeheartedly agree on that front.
I wanna thank you for taking the time to speak with me. If people wanna learn more, where should they go to find you?
Ann Johnson: They can find me on LinkedIn as Ann Johnson.
If they want to genuinely wanna learn more about Microsoft, obviously we have a Microsoft Security website. And then I have, and I wanna thank you, and if you don't mind my own plug, I have my own podcast. Maybe we'll have you on. A reciprocal one. They can find me at afternooncybertea.com.
Corey Quinn: And we'll put links to all of that in the show notes.
Thank you so much for taking the time to speak with me. It's great to finally have a conversation like this that isn't entirely basically Twitter, random passings in the night.
Ann Johnson: Thank you for inviting me. Thanks for making the time.
Corey Quinn: Ann Johnson is the Corporate Vice President and Deputy CISO of Customer Security Management Office at Microsoft.
I'm cloud economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five star review on your podcast platform of choice. Whereas if you hated this podcast, please leave a five star review on your podcast platform of choice along with an angry comment pointing out that nine years at Microsoft is still very much the new kid, and then go download the next episode onto your Zune.